Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6df39836da496a46…

MALICIOUS

Office (OOXML) / .XLSX

Size: 745.7 KB
Created: 2020-08-20 17:59:18 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-03-30
MD5: cfc62db8aedaabb744696b70b9ffe5b0
SHA-1: e17e7e60bfdb3edd93c8e7c02d1ac1521d2b1dc6
SHA-256: 6df39836da496a469071cb5ad011593a0bffdf94337889de0e8611eac8a58359
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The document contains invoice-like text, suggesting a lure to entice the user. Static analysis detected an embedded OLE object, specifically an Equation Editor object, which is known to be exploited to deliver malicious payloads. The anomaly in the Ole10Native stream size indicates a potential payload within the Equation Editor object.

Heuristics (4)

  • [high] Equation Editor OLE object (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/PLfaclZeL.eG contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • [high] Equation Editor object carries payload-like Ole10Native stream (OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • [medium] Embedded OLE object (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • [low] Fake invoice / payment lure (SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: cc43e23bfde734b2a11e849788e88a75aa31fd2d827fbd2fdeb22cc3717e7904
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/PLfaclZeL.eG
  Size: 889856 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 4c14ac6eaeb2d88d4c29d6667cce879962fb60661c29277e53564deebed12a69
  Kind: ole-package
  Source: OOXML xl/embeddings/PLfaclZeL.eG Ole10Native stream: OlE10natiVE
  Size: 880536 bytes